| Summary: | HTTP Basic Auth in URL not used | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Janik Besendorf <janik> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | REOPENED | | |
| Severity: | Normal | CC: | annevk, ap, beidson, janik, karlcow, webkit-bug-importer, youennf |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Description
Janik Besendorf
2023-09-19 06:36:29 PDT

I think that this may be intentional, but cannot remember the details. Adding some people who may know.

Yeah, this would make it very easy to perform dictionary attacks or phish the end user in some way. Various groups, including the HTTP WG, have been deprecating this format for HTTP URLs.

Firefox and Chrome support this feature on mobile and Desktop. I don't see how this could be used for phishing. Could you elaborate on this? Could you send a link to the HTTP WG statement?

Thanks, I guess we should keep this open for now then.

The phishing aspect for these URLs is mainly that you could put something before the `@` that might confuse the end user about where they are going. It's deprecated for all URLs apparently: https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1. https://url.spec.whatwg.org agrees with this though states it in a less obvious manner.
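The confusion described in the thread (text before the `@` looks like a host but is only userinfo) can be made concrete with the WHATWG URL parser that browsers and Node.js implement. The following is an added example, not code from the bug report or from WebKit; the hostnames are constructed samples, and `inspectUrl` / `stripUserinfo` are hypothetical helper names.

```javascript
// Added example: show what the WHATWG URL parser makes of a URL carrying
// userinfo, and a defensive helper that drops the userinfo so the link a
// user is sent to has no misleading text before the host.

// Break a URL into the parts relevant to the confusion risk.
function inspectUrl(input) {
  const u = new URL(input);
  return {
    username: u.username,          // text before ":" or "@" in the authority
    password: u.password,          // text between ":" and "@", if any
    host: u.host,                  // the host actually contacted
    hasUserinfo: u.username !== '' || u.password !== '',
  };
}

// Return a copy of the URL with any userinfo removed, so the rendered link
// shows only the real host (credentials, if needed, belong in an auth
// challenge, not in the address).
function stripUserinfo(input) {
  const u = new URL(input);
  u.username = '';
  u.password = '';
  return u.href;
}

// Constructed sample links (hosts under the reserved .example TLD).
const samples = [
  'https://alice:secret@intranet.example/wiki',      // genuine Basic credentials
  'https://login.example.com@other-host.example/',   // host-like text before "@"
  'https://www.example.com/path',                    // no userinfo at all
];

for (const s of samples) {
  const info = inspectUrl(s);
  console.log(s, '->', info, info.hasUserinfo ? stripUserinfo(s) : '(unchanged)');
}
```

Run with Node.js 10 or later, where `URL` is a global; the second sample resolves to `other-host.example`, not to the host-like text shown before the `@`.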